Storage Account Firewall IPs for the CDN provider
Currently a user can only keep a blob firewall with the Verizon CDN
To achieve this it requires a user to input 40+ ips/cidrs just to keep sanity on their environment as well as forces them to only use Verizon CDN
The CDN providers IPs should by default, be handled in the blob firewall when a CDN is enabled on a blob.
1) create a storage account set the blob container to public
2) enable firewall rules but only whitelisting your IP and any Vnets you may have. (the irony here will come when you attempt to see a file via CDN)
3) enable CDN and use said storage blob for its origin
4) upload file into blob & attempt to view it through the CDN.
you will get authorization failed.
Obviously if you have a blob set to public and your using an internal service like a CDN this shouldn't be happening. but to resolve it you'll have to manually add in every IP for the CDN which can simply be handled for the end user. Not only is this not scalable as a provider may add, remove or change IP's but its unrealistic to expect a user to just "whitelist the world" as a solution.... the firewall is there for a reason.
Just got the same error. I was trying to setup blob firewall with Microsoft CDN, this should be a part of the "Allow trusted Microsoft services to access this storage account" option.